Scammer Groups Are Exploiting Gmail 'Dot Accounts' For Online Fraud (zdnet.com)
Cyber-criminal groups are exploiting a Gmail feature to file for fraudulent unemployment benefits, file fake tax returns, and bypass trial periods for online services. From a report: The trick is an old one and has been used in the past. It refers to Gmail's "dot accounts," a feature of Gmail addresses that ignores dot characters inside Gmail usernames, regardless of their placement. For example, Google considers john.doe@gmail.com, jo.hn.doe@gmail.com, and johndoe@gmail.com as the same Gmail address. Regular users have been using this feature for years to register free trial accounts at online services using the same email address, but spelled out in different ways.
In a report published today, the team at email security firm Agari says it saw criminal groups use dotted Gmail addresses in many more places all last year. In an example included in their report, Agari said it saw one group in particular use 56 "dotted" variations of a Gmail address to, among other things, submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit.
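A defender-side check for the dot-account pattern described in the summary, as an added example that is not taken from the ZDNet or Agari reports: it reduces each address to one key per mailbox and reports mailboxes that appear under several spellings in a batch of signups. The function names, record ids and sample data are constructed for illustration; the treatment of "+tag" suffixes and of googlemail.com as Gmail's alias domain goes beyond the dot case in the text.

```python
from collections import defaultdict

# Domains that deliver to the same Gmail mailbox.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return a key that is identical for every spelling of one mailbox."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    # Case-folding the local part is a policy choice made for this example.
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0]  # drop a "+tag" suffix
        local = local.replace(".", "")  # Gmail ignores dots in the username
        domain = "gmail.com"
        if not local:
            raise ValueError(f"empty Gmail username: {address!r}")
    return f"{local}@{domain}"


def find_alias_clusters(signups, threshold=2):
    """Map canonical mailbox -> sorted (record_id, spelling) pairs, keeping
    only mailboxes seen under at least `threshold` distinct spellings."""
    clusters = defaultdict(set)
    for record_id, email in signups:
        try:
            key = canonical_mailbox(email)
        except ValueError:
            continue  # malformed input is left to other validation
        clusters[key].add((record_id, email.strip().lower()))
    return {key: sorted(rows) for key, rows in clusters.items()
            if len({spelling for _, spelling in rows}) >= threshold}


# Constructed sample: the three spellings from the article plus unrelated rows.
SAMPLE_SIGNUPS = [
    ("app-001", "john.doe@gmail.com"),
    ("app-002", "jo.hn.doe@gmail.com"),
    ("app-003", "johndoe@gmail.com"),
    ("app-004", "j.smith@example.com"),  # dots are significant elsewhere
    ("app-005", "jsmith@example.com"),
    ("app-006", "not-an-address"),
]

if __name__ == "__main__":
    for mailbox, rows in find_alias_clusters(SAMPLE_SIGNUPS).items():
        print(mailbox, "->", [record_id for record_id, _ in rows])
```

Storing the canonical key alongside the address as entered lets an uniqueness check or velocity rule run on the key while mail is still sent to the spelling the user typed.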
Some web forms see the plus char as invalid.
In my experience it's most. And even if you get it past the client-side filter, it sometimes will cause the web site to break in interesting ways -- for instance, I've found cases where a site will accept a "+" address to register for an account, but then you can't actually use it to log in...
I tried using it for a while to help me filter emails and keep track of who was selling my address, but it's broken on too many sites to be worth even making the attempt. I could report the problem, but most site owners won't bother fixing it, and it defeats the purpose of having easy-to-use aliases if I have to contact support every time I want to use one.
I really wish that Google would offer a simple alias / disposable email service linked to Gmail that would work on most websites. Dot addresses could help (since most sites will allow a dot, at least), but they're pretty limited.
How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
Methinks I know why you get all that e-mail and get victimized by identity theft all the time... You respond.
Mostly, I don't. And those who I do respond to, I'm not giving any additional information to them, so I'm not helping them steal my identity.
DUMP SPAM into the trash. Don't answer, just trash can it.
Yes, that's what I do with spam. Thanks for nothing, AC.
It's quite simple, my identity gets stolen more than those of other people because of my Hispanic name. People who have the same name have used my SSN for work, or to buy a car they never paid off. Then a court in Nevada City, CA granted a judgement against my SSN based on that person's debt. The evidence of debt was my SSN written on a check cashing card, by hand no less. The court that accepted that as evidence is corrupt. You can't have identity theft without corruption.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"